Skip to main content
Warning This document has not been updated for a while now. It may be out of date.
Last updated: 17 Nov 2023

govuk-dependabot-merger: ADR 4: Ignore subdependencies

Date: 2023-11-17


This ADR supersedes ADR 2, which argued that we should ignore any Dependabot PRs that bump allowlisted dependencies, if those PRs also bump subdependencies that are not on the allowlist.

In the first three months that this service was active, only one Dependabot PR satisfied that rule, and thus the service only auto-merged a single PR.

In practice, most PRs lump in a number of subdependency updates (see example). This is Bundler’s native behaviour when it updates a dependency. Bundler does allow a --conservative flag to bundle update <gem name> that prevents that, but there's currently no equivalent config option for Dependabot.

A Google document was written, explaining this issue and possible ways forward. It concluded that for the auto merger service to be at all useful, we'll need to relax the rules around subdependency updates.


We've dropped the rule that prevents subdependency bumps.


This has already led to an immediate uptick in the number of PRs the auto merger will merge (see example).

This does introduce a small but acceptable attack vector, described further in the linked Google doc.